New Netwrix Auditor bug could cause attackers to compromise Active Directory domain


Researchers have released details about a vulnerability in the Netwrix Auditor application that, if successfully exploited, could lead to arbitrary code execution on affected devices.

“Because this service typically runs with extended privileges in an Active Directory environment, the attacker would likely be able to penetrate the Active Directory domain,” Bishop Fox said in an advisory published this week.

Auditor is a control and visibility platform that gives organizations a consolidated view of their IT environments, including Active Directory, Exchange, file servers, SharePoint, VMware and other systems, from a single console.

Netwrix, the company behind the software, claims more than 11,500 customers in more than 100 countries, such as Airbus, Virgin, King’s College Hospital and Credissimo.

The flaw, which affects all supported versions prior to 10.5, is described as an unsafe object deserialization that occurs when untrusted, user-controllable data is parsed, and it can be abused to perform remote code execution attacks.

The root cause of the bug is an unsecured .NET remoting service accessible on TCP port 9004 on the Netwrix server, which allows an actor to execute arbitrary commands on the server.

“Because the command was run with NT AUTHORITY\SYSTEM privileges, exploiting this issue would allow an attacker to completely compromise the Netwrix server,” said Bishop Fox’s Jordan Parkin.

Organizations relying on Auditor are encouraged to update to the latest version, 10.5, released on June 6, to avoid potential risks.
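To turn the two facts above into an inventory check (affected versions are those below 10.5, and the exposed service listens on TCP 9004), here is an added Python triage script; it is not Netwrix or Bishop Fox code. The hostnames, version strings and the dotted version format are assumptions constructed for the example, and the optional port probe only tests TCP reachability, it sends no data.

```python
import socket

# Netwrix Auditor releases before 10.5 are affected; 10.5 is the fixed release.
FIXED_VERSION = (10, 5)
REMOTING_PORT = 9004  # TCP port of the exposed .NET remoting service


def parse_version(version: str) -> tuple:
    """Turn a dotted version string such as '10.4.1' into a comparable tuple of ints.
    Non-numeric suffixes in a component are ignored (assumed format, not Netwrix's own)."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version is older than the fixed 10.5 release."""
    return parse_version(version) < FIXED_VERSION


def remoting_port_reachable(host: str, port: int = REMOTING_PORT, timeout: float = 2.0) -> bool:
    """Exposure check only: does the remoting port accept a TCP connection from here?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(inventory: dict, check_network: bool = False) -> list:
    """Return the hosts still running an affected version, optionally noting
    whether TCP 9004 is reachable (None when the network check is skipped)."""
    findings = []
    for host, version in inventory.items():
        if not is_affected(version):
            continue
        exposed = remoting_port_reachable(host) if check_network else None
        findings.append({"host": host, "version": version, "port_9004_reachable": exposed})
    return findings


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "auditor-01.example.local": "10.4.1",
    "auditor-02.example.local": "10.5",
    "auditor-03.example.local": "9.96",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```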